1. Field of the Invention
The inventive arrangements pertain to computer security, and more specifically, to enhancing computer network security through improved management of dynamic network sessions.
2. Description of Related Art
The Internet comprises an interconnected and globally expansive network of networks through which information, files, and programs (i.e., data) are exchanged across various electronic pathways. Accessing the Internet generally comprises gaining access to these electronic pathways through an Internet Access Gateway (“IAG”) or other Internet Access Device.
Unlike a circuit-switched network, such as a traditional phone line, in a packet-switched network, such as the Internet, no component of the network is dedicated exclusively to a specific sender and receiver for the duration of a session therebetween. Thus, insular and unbroken connections between the sender and receiver are not established across the network, and as a result, data packets are not transmitted and received sequentially along the electronic pathways. Rather, the Internet embraces a client-server model in which data packets are transmitted and received according to various protocols, including a Transmission Control Protocol (“TCP”), which breaks the data into data packets at a sender and reassembles them at a receiver, and an Internet Protocol (“IP”), which routes the data packets to the correct receiver.
According to the Ethernet, each individual data packet contains approximately 1,500 bytes and contains header information that is used to reassemble the data packets at the receiver, which generally arrive out of order by virtue of the various electronic pathways along which they traveled across the network. As the TCP creates each data packet, it also commonly calculates and adds to the header information a checksum, which is a number that is based on the packet size and content of the data packet, and used at the receiver to determine if the data packet was corrupted during transmission, whereupon retransmission is initiated if the checksum fails. Alternatively, for example, if streaming technologies retransmitted data packets based on failed checksums, retransmitted packets could bombard, overwhelm, and eventually interrupt a sound player at the receiver, significantly hampering effective audio and video playback. Thus, streaming technologies commonly use a connectionless User Datagram Protocol (“UDP”) in which data packets are transmitted and received without regard to an end-to-end handshake such as a checksum.
Regardless, whether by TCP or UDP, the IP attaches addressing information to each data packet before placing each data packet into a virtual envelope. Addressing information is used to route each data packet from the sender to the receiver through the network, and it is generally identical for all data packets in a related data stream. It often contains the sender's and receiver's IP addresses, the amount of time to retain the data packet, a preferred number of hops the data packet can take en-route, and other such information. Although addressing information commonly comprises the first line of the data packet, it can also comprise a specified number of bytes at a specified location within the packet.
A session between a client and server usually begins with a service request transmitted from the client to the server. During this session, the server services the request whereupon multiple messages are commonly exchanged between the client and the server throughout the session. The session terminates if either the client or server terminates its connection to the other. However, it has become commonplace in certain protocols for a primary session with a primary server to generate one or more additional sessions with one or more additional servers and the client. If the client resides behind a firewall or utilizes Network Address Translation (“NAT”), acceptance of non-requested data packets from the additional servers could compromise the client's security policies.
Due to the inherently dynamic nature of plural sessions, however, managing dynamic network sessions is not easily accomplished. For example, in this context, many IAGs suffer from one or more of the following shortcomings: failure to recognize proper relationships between primary sessions and additional sessions; forced firewall and/or NAT disablement if enabled; reconfigured firewalls to allow all data packets to pass in order to prevent discrimination against additional session data packets, thereby decreasing firewall effectiveness; inspecting the entire contents of the data packet instead of the header and addressing information; and implementing complex protocol decoders to negotiate new ports for the additional sessions. Accordingly, prior art solutions are unsatisfactory. They significantly increase memory requirements, retard throughput, and require patching, upgrading, or reinstalling the IAG each time a new protocol is deployed that is capable of generating plural sessions. Moreover, security can be compromised for IAGs that inspect the contents of each data packet. For example, if the IAG uses information contained in the body of the data packet to dynamically reconfigure the firewall or perform NAT—such as opening a firewall port or creating NAT port mappings—mischievants can proactively attack the IAG by constructing protocol messages that contain malicious information. When malicious information cannot be distinguished from non-malicious information, the IAG remains vulnerable to attack. What are needed, therefore, are universally applicable systems and methods for effectively and efficiently managing dynamic network sessions at an IAG.
While numerous objects, advantages, and aspects of the present invention will become apparent from the following description, reference is made in the description to the accompanying drawings which form a part hereof, and in which there is shown, by way of illustration, a preferred embodiment of the present invention. Such embodiment does not represent the full spirit or scope of the invention, however, and reference must also be made to the claims herein for properly interpreting the spirit and scope of this invention.